/crypto/heimdal/kadmin/mod.c
C | 263 lines | 199 code | 32 blank | 32 comment | 45 complexity | 3013d2f36c60591992d978059599aeae MD5 | raw file
1/* 2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Hรถgskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "kadmin_locl.h" 35#include "kadmin-commands.h" 36 37static void 38add_tl(kadm5_principal_ent_rec *princ, int type, krb5_data *data) 39{ 40 krb5_tl_data *tl, **ptl; 41 42 tl = ecalloc(1, sizeof(*tl)); 43 tl->tl_data_next = NULL; 44 tl->tl_data_type = KRB5_TL_EXTENSION; 45 tl->tl_data_length = data->length; 46 tl->tl_data_contents = data->data; 47 48 princ->n_tl_data++; 49 ptl = &princ->tl_data; 50 while (*ptl != NULL) 51 ptl = &(*ptl)->tl_data_next; 52 *ptl = tl; 53 54 return; 55} 56 57static void 58add_constrained_delegation(krb5_context contextp, 59 kadm5_principal_ent_rec *princ, 60 struct getarg_strings *strings) 61{ 62 krb5_error_code ret; 63 HDB_extension ext; 64 krb5_data buf; 65 size_t size = 0; 66 67 memset(&ext, 0, sizeof(ext)); 68 ext.mandatory = FALSE; 69 ext.data.element = choice_HDB_extension_data_allowed_to_delegate_to; 70 71 if (strings->num_strings == 1 && strings->strings[0][0] == '\0') { 72 ext.data.u.allowed_to_delegate_to.val = NULL; 73 ext.data.u.allowed_to_delegate_to.len = 0; 74 } else { 75 krb5_principal p; 76 int i; 77 78 ext.data.u.allowed_to_delegate_to.val = 79 calloc(strings->num_strings, 80 sizeof(ext.data.u.allowed_to_delegate_to.val[0])); 81 ext.data.u.allowed_to_delegate_to.len = strings->num_strings; 82 83 for (i = 0; i < strings->num_strings; i++) { 84 ret = krb5_parse_name(contextp, strings->strings[i], &p); 85 if (ret) 86 abort(); 87 ret = copy_Principal(p, &ext.data.u.allowed_to_delegate_to.val[i]); 88 if (ret) 89 abort(); 90 krb5_free_principal(contextp, p); 91 } 92 } 93 94 ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length, 95 &ext, &size, ret); 96 free_HDB_extension(&ext); 97 if (ret) 98 abort(); 99 if (buf.length != size) 100 abort(); 101 102 add_tl(princ, KRB5_TL_EXTENSION, &buf); 103} 104 105static void 106add_aliases(krb5_context contextp, kadm5_principal_ent_rec *princ, 107 struct getarg_strings *strings) 108{ 109 krb5_error_code ret; 110 HDB_extension ext; 111 krb5_data buf; 112 krb5_principal p; 113 size_t size = 0; 114 int i; 115 116 memset(&ext, 0, sizeof(ext)); 117 ext.mandatory = FALSE; 118 ext.data.element = choice_HDB_extension_data_aliases; 119 ext.data.u.aliases.case_insensitive = 0; 120 121 if (strings->num_strings == 1 && strings->strings[0][0] == '\0') { 122 ext.data.u.aliases.aliases.val = NULL; 123 ext.data.u.aliases.aliases.len = 0; 124 } else { 125 ext.data.u.aliases.aliases.val = 126 calloc(strings->num_strings, 127 sizeof(ext.data.u.aliases.aliases.val[0])); 128 ext.data.u.aliases.aliases.len = strings->num_strings; 129 130 for (i = 0; i < strings->num_strings; i++) { 131 ret = krb5_parse_name(contextp, strings->strings[i], &p); 132 ret = copy_Principal(p, &ext.data.u.aliases.aliases.val[i]); 133 krb5_free_principal(contextp, p); 134 } 135 } 136 137 ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length, 138 &ext, &size, ret); 139 free_HDB_extension(&ext); 140 if (ret) 141 abort(); 142 if (buf.length != size) 143 abort(); 144 145 add_tl(princ, KRB5_TL_EXTENSION, &buf); 146} 147 148static void 149add_pkinit_acl(krb5_context contextp, kadm5_principal_ent_rec *princ, 150 struct getarg_strings *strings) 151{ 152 krb5_error_code ret; 153 HDB_extension ext; 154 krb5_data buf; 155 size_t size = 0; 156 int i; 157 158 memset(&ext, 0, sizeof(ext)); 159 ext.mandatory = FALSE; 160 ext.data.element = choice_HDB_extension_data_pkinit_acl; 161 ext.data.u.aliases.case_insensitive = 0; 162 163 if (strings->num_strings == 1 && strings->strings[0][0] == '\0') { 164 ext.data.u.pkinit_acl.val = NULL; 165 ext.data.u.pkinit_acl.len = 0; 166 } else { 167 ext.data.u.pkinit_acl.val = 168 calloc(strings->num_strings, 169 sizeof(ext.data.u.pkinit_acl.val[0])); 170 ext.data.u.pkinit_acl.len = strings->num_strings; 171 172 for (i = 0; i < strings->num_strings; i++) { 173 ext.data.u.pkinit_acl.val[i].subject = estrdup(strings->strings[i]); 174 } 175 } 176 177 ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length, 178 &ext, &size, ret); 179 free_HDB_extension(&ext); 180 if (ret) 181 abort(); 182 if (buf.length != size) 183 abort(); 184 185 add_tl(princ, KRB5_TL_EXTENSION, &buf); 186} 187 188static int 189do_mod_entry(krb5_principal principal, void *data) 190{ 191 krb5_error_code ret; 192 kadm5_principal_ent_rec princ; 193 int mask = 0; 194 struct modify_options *e = data; 195 196 memset (&princ, 0, sizeof(princ)); 197 ret = kadm5_get_principal(kadm_handle, principal, &princ, 198 KADM5_PRINCIPAL | KADM5_ATTRIBUTES | 199 KADM5_MAX_LIFE | KADM5_MAX_RLIFE | 200 KADM5_PRINC_EXPIRE_TIME | 201 KADM5_PW_EXPIRATION); 202 if(ret) 203 return ret; 204 205 if(e->max_ticket_life_string || 206 e->max_renewable_life_string || 207 e->expiration_time_string || 208 e->pw_expiration_time_string || 209 e->attributes_string || 210 e->kvno_integer != -1 || 211 e->constrained_delegation_strings.num_strings || 212 e->alias_strings.num_strings || 213 e->pkinit_acl_strings.num_strings) { 214 ret = set_entry(context, &princ, &mask, 215 e->max_ticket_life_string, 216 e->max_renewable_life_string, 217 e->expiration_time_string, 218 e->pw_expiration_time_string, 219 e->attributes_string); 220 if(e->kvno_integer != -1) { 221 princ.kvno = e->kvno_integer; 222 mask |= KADM5_KVNO; 223 } 224 if (e->constrained_delegation_strings.num_strings) { 225 add_constrained_delegation(context, &princ, 226 &e->constrained_delegation_strings); 227 mask |= KADM5_TL_DATA; 228 } 229 if (e->alias_strings.num_strings) { 230 add_aliases(context, &princ, &e->alias_strings); 231 mask |= KADM5_TL_DATA; 232 } 233 if (e->pkinit_acl_strings.num_strings) { 234 add_pkinit_acl(context, &princ, &e->pkinit_acl_strings); 235 mask |= KADM5_TL_DATA; 236 } 237 238 } else 239 ret = edit_entry(&princ, &mask, NULL, 0); 240 if(ret == 0) { 241 ret = kadm5_modify_principal(kadm_handle, &princ, mask); 242 if(ret) 243 krb5_warn(context, ret, "kadm5_modify_principal"); 244 } 245 246 kadm5_free_principal_ent(kadm_handle, &princ); 247 return ret; 248} 249 250int 251mod_entry(struct modify_options *opt, int argc, char **argv) 252{ 253 krb5_error_code ret = 0; 254 int i; 255 256 for(i = 0; i < argc; i++) { 257 ret = foreach_principal(argv[i], do_mod_entry, "mod", opt); 258 if (ret) 259 break; 260 } 261 return ret != 0; 262} 263